Klaus Ethgen klaus+usenet@ethgen.de writes:
Hi,
Dieter Kluenter dieter@dkluenter.de wrote:
So my question is: what rights are needed for which entry attribute (in the tree) to allow read, write, search or other access to other attributes?
entry and children are so-called pseudo attributes. They are mainly used to allow access to the children of an entry. As an example, you have an entry ou=users,dc=example,dc=com and want to allow access to the children of this entry, but no read or write access to the entry itself. A rule set could be:
access to dn.onelevel="ou=users,dc=example,dc=com" by users write by anonymous auth
access to dn.base="ou=users,dc=example,dc=com" attrs=entry,children by users write by anonymous auth
Thanks for your answer. But it does not make that clear to me. I did find some examples with entry and children, but the description of them is not clear to me.
The children attribute might be somewhat clear. But the real mystery is the entry attribute, and as the logic seems to be somewhat identical, also the real meaning of children.
For example: [1] access to attrs=sn by * read
[2] access to attrs=entry,sn by * read
[1] will not allow reading the attribute sn. Only with [2] does that work. However, _I_ would expect that all attributes of that particular entry would be readable with [2], but only the sn attribute with [1]. And exactly there is my problem with the understanding.
Well, if [1] doesn't allow read access, then there are other rules which prevent this. The only function of the pseudo attributes entry and children is to allow the access parser to check whether the referenced object and subentries exist. Just to give an example, the last ACL rule of my slapd.conf is
access to dn.base="o=avci,c=de" attrs=entry,children by group.exact="cn=Administratoren,o=avci,c=de" write by users read by anonymous auth
A search with base o=avci,c=de and scope subtree results in the following ACL parsing:
=> access_allowed: search access to "o=avci,c=de" "entry" requested
-Dieter
openldap-technical@openldap.org
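To make the difference between [1] and [2] concrete, here is an added example that is not part of the thread and not OpenLDAP's own code. It is a small Python model of the subset of slapd.access(5) semantics that the discussion turns on: "access to" clauses are tried in order and the first one whose target (DN scope plus attribute list) matches the request decides; within it the first matching "by" clause sets the privilege level; a request that matches no clause is denied; and, before any attribute of an entry is returned by a search, the requester needs "read" access to that entry's "entry" pseudo-attribute, after which every attribute needs "read" access of its own. The DN, the entry contents and the bind DNs used at the bottom are constructed for the demonstration; the rule sets mirror examples [1] and [2] from the thread and the two-rule set for ou=users.

```python
"""Simplified model of slapd ACL evaluation for the "entry" pseudo-attribute.

Added example, not OpenLDAP code. It deliberately models only first-match
clause selection, the privilege ladder, and the "entry"-before-attributes
check; real slapd has many more selectors (filter=, peername=, self, ...).
"""
from dataclasses import dataclass
from typing import Optional

# Privilege ladder from slapd.access(5); a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class Rule:
    by: list                        # ordered "by" clauses: [("users", "write"), ("anonymous", "auth")]
    attrs: Optional[set] = None     # None = any attribute (no attrs= in the clause), else attribute names
    dn: Optional[str] = None        # target DN; None = any entry (no dn in the clause)
    scope: str = "base"             # "base", "onelevel" or "subtree", used only when dn is set


def _parent(dn: str) -> str:
    # naive RDN split; adequate for the constructed DNs used below
    return dn.split(",", 1)[1] if "," in dn else ""


def _dn_matches(rule: Rule, entry_dn: str) -> bool:
    if rule.dn is None:
        return True
    if rule.scope == "base":
        return entry_dn == rule.dn
    if rule.scope == "onelevel":
        return _parent(entry_dn) == rule.dn
    if rule.scope == "subtree":
        return entry_dn == rule.dn or entry_dn.endswith("," + rule.dn)
    raise ValueError("unknown scope: " + rule.scope)


def _who_matches(who: str, binddn: Optional[str]) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "users":
        return binddn is not None
    return who == binddn            # exact DN match, e.g. a named administrator


def granted_level(rules, entry_dn, attr, binddn):
    """Privilege level the rule set grants binddn on (entry_dn, attr)."""
    for rule in rules:
        if not _dn_matches(rule, entry_dn):
            continue
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        # The first "access to" clause matching the target decides; later
        # clauses are never consulted, even if they would grant more.
        for who, level in rule.by:
            if _who_matches(who, binddn):
                return level
        return "none"               # target matched, but no "by" clause did
    return "none"                   # nothing matched: implicit deny


def access_allowed(rules, entry_dn, attr, binddn, needed):
    return LEVELS.index(granted_level(rules, entry_dn, attr, binddn)) >= LEVELS.index(needed)


def search_result(rules, entry_dn, entry_attrs, binddn):
    """Attributes a search returns for entry_dn, or None if the entry itself is withheld."""
    if not access_allowed(rules, entry_dn, "entry", binddn, "read"):
        return None                 # no read on "entry": the entry is not sent at all
    return [a for a in entry_attrs if access_allowed(rules, entry_dn, a, binddn, "read")]


# Constructed data for the demonstration (hypothetical DNs and attributes).
BASE_DN = "ou=users,dc=example,dc=com"
ENTRY_DN = "cn=klaus," + BASE_DN
ENTRY_ATTRS = ["cn", "sn", "mail"]

# [1] access to attrs=sn by * read
RULES_1 = [Rule(by=[("*", "read")], attrs={"sn"})]
# [2] access to attrs=entry,sn by * read
RULES_2 = [Rule(by=[("*", "read")], attrs={"entry", "sn"})]
# The two-rule set for ou=users: children fully writable by users, the ou entry
# itself reachable (entry, children) but none of its own attributes readable.
RULES_OU = [
    Rule(by=[("users", "write"), ("anonymous", "auth")], dn=BASE_DN, scope="onelevel"),
    Rule(by=[("users", "write"), ("anonymous", "auth")], dn=BASE_DN, scope="base",
         attrs={"entry", "children"}),
]

if __name__ == "__main__":
    print("[1]", search_result(RULES_1, ENTRY_DN, ENTRY_ATTRS, None))
    print("[2]", search_result(RULES_2, ENTRY_DN, ENTRY_ATTRS, None))
    print("ou entry, authenticated:", search_result(RULES_OU, BASE_DN, ["ou", "objectClass"], "cn=admin"))
    print("child entry, anonymous:", search_result(RULES_OU, ENTRY_DN, ENTRY_ATTRS, None))
```

Running it shows the behaviour Klaus observed: with [1] the entry is withheld entirely because nothing grants read on "entry", and with [2] only sn comes back, since cn and mail still match no clause and fall through to the implicit deny. The ou=users set behaves as described: an authenticated user can reach the ou entry and write its children, but the ou entry's own attributes are not returned, and an anonymous bind (only "auth") cannot read anything.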